NetScaler ingress controller

Deploy NetScaler Ingress Controller as a standalone pod by using NetScaler Operator

You can deploy NetScaler IPAM Controller as a standalone pod in an OpenShift cluster for IP address management by using NetScaler Operator. When you create a service of type LoadBalancer or an Ingress, you can use the NetScaler IPAM controller to automatically allocate an IP address. Once the IPAM controller is deployed, it allocates IP addresses to services of type LoadBalancer or to Ingresses from predefined IP address ranges. The NetScaler ingress controller configures the IP address allocated to the service as a virtual IP address (VIP) on the NetScaler MPX or VPX that is deployed as an ingress device or router for an application running in the OpenShift cluster. The following diagram explains the topology:

IPAM Controller

Prerequisites

The following are the prerequisites for deploying NetScaler Ingress Controller as a standalone pod using NetScaler Operator:

  • Have a Red Hat OpenShift cluster (version 4.11 or later).
  • Deploy NetScaler Operator. For information on how to deploy NetScaler Operator, see Deploy NetScaler Operator.
  • Deploy NetScaler Ingress Controller to configure service or ingress on NetScaler VPX for which NetScaler IPAM is allocating the IP address. For information on how to deploy NetScaler Ingress Controller, see Deploy NetScaler Ingress Controller.

Deployment steps

  1. Log in to the OpenShift 4.x Cluster Console.

  2. Allocate IP to an Ingress Using NetScaler IPAM Controller.

  3. Allocate IP for an Ingress for Apache application.

    1. Navigate to Networking > Ingress > Create Ingress.

    2. Use the YAML (like the following one) to create the ingress. Ensure that you have the required annotation for IPAM, which allocates an IP address for the ingress. This IP address gets configured as the VIP address on NetScaler VPX by the NetScaler Ingress Controller.

      ---
      apiVersion: networking.k8s.io/v1
      kind: Ingress
      metadata:
        annotations:
          # IPAM uses the below annotation to select the IP Range, from which it will allocate IPs
          ingress.citrix.com/ipam-range: ingress-range
        name: apache-ingress
      spec:
        ingressClassName: nsic-vpx
        rules:
        - host: citrix-ingress-operator.com
          http:
            paths:
            - backend:
                service:
                  name: apache
                  port:
                    number: 80
              path: /
              pathType: ImplementationSpecific
      ---

  4. Allocate IP to a Service of Type LoadBalancer.

    1. Navigate to Networking > Services > Create Service.
    2. Use the following YAML to create the service. Ensure that you have the required annotation for IPAM, which allocates an IP address for the service. This IP address gets configured as the VIP address of NetScaler VPX by the NetScaler Ingress Controller.

      ---
      apiVersion: v1
      kind: Service
      metadata:
        name: apache-lb
        labels:
          app: apache
        annotations:
          # CIC uses the below annotation to select services to be configured on NetScaler VPX/MPX
          service.citrix.com/class: 'nsic-vpx'
          # IPAM uses the below annotation to select the IP Range, from which it will allocate IPs
          service.citrix.com/ipam-range: 'service-range'
      spec:
        type: LoadBalancer
        ports:
        - name: http
          port: 80
          targetPort: http
        selector:
          app: apache
      ---

  5. Navigate to Operators > Installed Operators and click NetScaler Operator.

  6. Click the NetScaler IPAM Controller tab and select Create NetScalerIPAMController. The NetScaler IPAM Controller YAML definition is displayed.

    Optionally, you can select the Form view button and update the parameters in a form. Refer to the Mandatory and Optional Parameters section that lists the mandatory and optional parameters that you can configure during installation. You can configure other available parameters depending on your use case.

    Notes:

    • Ensure that the acceptLicense parameter is set to Yes.
    • It is mandatory to provide values for the parameters on localIPAM or Infoblox.
    • Provide clusterName if you want to use Infoblox.
  7. After updating the values for the required parameters, click Create.

  8. Ensure that NetScaler IPAM Controller is successfully deployed and initialized. Navigate to the Workloads > Pods section and verify that the NetScaler IPAM Controller pod is up and running.

  9. Verify the deployment by checking the logs. Also, for ingress, you can check the ingress status to confirm that the IP address is allocated to ingress by NetScaler IPAM Controller.

    Ingress Status

    root@master:~/Citrix/openshift# oc get ing
    NAME             CLASS      HOSTS                         ADDRESS     PORTS   AGE
    apache-ingress   nsic-vpx   citrix-ingress-operator.com   1.1.1.166   80      5s
    root@master:~/Citrix/openshift# oc get vip
    NAME                     VIP         AGE
    ingress-apache-ingress   1.1.1.166   7s

    For a service of type LoadBalancer, you can check the service External-IP field to confirm that an IP address is allocated to the service by NetScaler IPAM Controller.

    Service Status

    root@master:~/Citrix/openshift# oc get svc
    NAME        TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)        AGE
    apache-lb   LoadBalancer   172.30.243.206   2.2.2.2       80:32498/TCP   7s
    root@master:~/Citrix/openshift# oc get vip
    NAME                VIP       AGE
    service-apache-lb   2.2.2.2   16s
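
The status check in step 9 can be automated so that a VIP allocated outside its approved range, or never allocated, is flagged. The following is an added example, not NetScaler's own code: the input is a constructed sample shaped like `oc get ing,svc -o json`, and the range bounds in `APPROVED` are assumptions, since this page names the ranges but does not show their bounds.

```python
import ipaddress
import json

# The two IPAM annotation keys shown on this page.
RANGE_KEYS = ("ingress.citrix.com/ipam-range", "service.citrix.com/ipam-range")

# ASSUMPTION: approved (first, last) address per named range. The page names
# the ranges but not their bounds, so these values are made up for the demo.
APPROVED = {"ingress-range": ("1.1.1.100", "1.1.1.200"),
            "service-range": ("2.2.2.1", "2.2.2.50")}

def sample_obj(kind, name, key, rng, ip):
    """Constructed object shaped like an item of `oc get ing,svc -o json`."""
    return {"kind": kind, "metadata": {"name": name, "annotations": {key: rng}},
            "status": {"loadBalancer": {"ingress": [{"ip": ip}] if ip else []}}}

# Constructed input: the page's two objects plus one deliberately bad service.
SAMPLE = json.dumps({"items": [
    sample_obj("Ingress", "apache-ingress", RANGE_KEYS[0], "ingress-range", "1.1.1.166"),
    sample_obj("Service", "apache-lb", RANGE_KEYS[1], "service-range", "2.2.2.2"),
    sample_obj("Service", "stray-lb", RANGE_KEYS[1], "service-range", "2.2.3.9"),
]})

def audit(doc, approved=APPROVED):
    """Return (kind, name, problem) for every IPAM-managed object that fails."""
    findings = []
    for obj in json.loads(doc)["items"]:
        meta = obj["metadata"]
        notes = meta.get("annotations") or {}
        rng = next((notes[k] for k in RANGE_KEYS if k in notes), None)
        if rng is None:
            continue  # object does not ask IPAM for an address
        lb = obj.get("status", {}).get("loadBalancer", {})
        ips = [e["ip"] for e in (lb.get("ingress") or []) if "ip" in e]
        if rng not in approved:
            problem = f"unknown range {rng!r}"
        elif not ips:
            problem = "no address allocated"
        else:
            lo, hi = (ipaddress.ip_address(a) for a in approved[rng])
            bad = [ip for ip in ips if not lo <= ipaddress.ip_address(ip) <= hi]
            problem = f"outside {rng}: {', '.join(bad)}" if bad else None
        if problem:
            findings.append((obj["kind"], meta["name"], problem))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

To run it against a cluster, pass the text of `oc get ing,svc -o json` to `audit()` and replace `APPROVED` with the bounds configured in `vipRange`.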

Parameters for NetScaler IPAM Controller

Mandatory and Optional Parameters

| Parameter | Mandatory/Optional | Default Value | Description |
|---|---|---|---|
| image | Mandatory | quay.io/netscaler/netscaler-ipam-controller@sha256:7c25b59a2e1df0e4f5615a779a9bea939c60a3eca065cb6c2295daf0d03831d8 | The NetScaler IPAM Controller image details. |
| pullPolicy | Mandatory | IfNotPresent | The NetScaler IPAM Controller image pull policy. |
| reuseIngressVip | Optional | True | Allows using the same IP for all ingresses using the same vipRange. |
| clusterName | Mandatory if infoblox.enabled is true | N/A | Identifies the cluster in which the IPAM controller is deployed. |
| tokenExpirationSeconds | Mandatory | 31536000 | Time in seconds when the token of serviceAccount expires. |

Local IPAM Parameters

| Parameter | Mandatory/Optional | Default Value | Description |
|---|---|---|---|
| vipRange | Mandatory | N/A | Provides the IPAM VIP Range. |

Infoblox Parameters

| Parameter | Mandatory/Optional | Default Value | Description |
|---|---|---|---|
| gridHost | Mandatory if infoblox.enabled is true | N/A | Infoblox grid host IP or FQDN. |
| credentialSecret | Mandatory if infoblox.enabled is true | N/A | Infoblox credentials. |
| httpTimeout | Optional | 10 | Infoblox client HTTP timeout in seconds. |
| maxRetries | Optional | 3 | Infoblox client max retries on failure. |
| netView | Optional | default | Infoblox NetView. |
| vipRange | Mandatory | N/A | Infoblox IPAM VIP Range. |